Pwn2Own Berlin 2026: Hackers Earn $1.3M for Zero-Day Exploit

The dust has settled on Pwn2Own Berlin 2026, with white hat hackers walking away with a staggering $1.3 million. The competition showcased the relentless pursuit of zero-day vulnerabilities across a diverse tech landscape.

Key Takeaways

  • Hackers secured nearly $1.3 million at Pwn2Own Berlin 2026 by exploiting 47 unique vulnerabilities.
  • Devcore and StarLabs SG dominated the competition, earning the largest shares of the prize money for critical exploits.
  • AI products, including LiteLLM and OpenAI Codex, were heavily targeted and yielded significant payouts for researchers.

The roar of applause — or perhaps, the frantic typing of keyboards echoing through convention halls — has faded. Pwn2Own Berlin 2026 has wrapped, leaving behind a trail of discovered vulnerabilities and a fat payday for those who found them: nearly $1.3 million awarded to white hat hackers. This wasn’t just about finding bugs; it was a high-stakes exhibition of just how fragile our digital edifice can be, from the bedrock of operating systems to the cutting edge of AI.

Forty-seven unique vulnerabilities were successfully demonstrated, netting an impressive $1,298,250 in total bounties, according to TrendAI’s Zero Day Initiative (ZDI). It’s a stark reminder that even the most scrutinized software, the kind that underpins global finance and critical infrastructure, still harbors secret doorways.

And who collected the lion’s share? The usual suspects, by and large. Devcore and StarLabs SG didn’t just win; they dominated, scooping up close to $750,000 between them. Devcore, in particular, pulled in a cool $200,000 for a remote code execution exploit on Microsoft Exchange that offered System privileges. Imagine, the keys to the kingdom, won with a few lines of expertly crafted code. They followed that up with another $175,000 for a Microsoft Edge sandbox escape and another $100,000 for punching a hole through Microsoft SharePoint. It paints a picture of Microsoft as a company whose flagship products, despite constant patching and security focus, remain fertile ground for inventive exploitation.

StarLabs SG, meanwhile, snagged $200,000 for a VMware ESX exploit that cleverly included a cross-tenant code execution add-on. VMware was present, acknowledging the lucrative nature of these exploits with a potential $200,000 bounty for ESXi issues. It’s a cat-and-mouse game, with vendors setting high prices to incentivize disclosure, and researchers pushing the boundaries to claim them. The third-place finisher, Out Of Bounds, still managed a respectable $95,750.

The AI Gold Rush

Unsurprisingly, the AI product category was a shining beacon for exploit hunters. Forty-thousand-dollar bounties were handed out for successful hacks against LiteLLM, OpenAI Codex, and LM Studio. These aren’t just niche tools; they represent the rapidly expanding frontier of artificial intelligence, now being integrated into everything from development workflows to enterprise applications. The fact that these systems, often built with speed and innovation as paramount, are already showing significant vulnerabilities is, frankly, a cause for concern.

Cursor exploits fetched rewards of $15,000 and $30,000, while an Ollama exploit snagged $28,000 — though that latter one had the caveat of using a known vulnerability, a detail that doesn’t diminish the success but certainly adds a layer of complexity to the narrative. Additional $20,000 rewards were distributed for exploits targeting OpenAI Codex, Claude Code, LM Studio, NVIDIA Megatron Bridge, and Chroma. It feels less like a bug hunt and more like a systematic audit of the AI ecosystem’s nascent security posture.

Beyond AI, traditional targets still commanded significant payouts. Red Hat Linux, Windows 11, and various NVIDIA components like the Megatron Bridge and Container Toolkit were also successfully exploited, with bounties ranging from $2,500 to $50,000. It’s a diverse ecosystem of targets, reflecting the broad attack surface available to malicious actors.

The Unseen Casualties: Missed Opportunities and Direct Disclosures

Not everyone was a winner, of course. Eight attempts failed to yield results, with targets including Oracle Autonomous AI Database, NV Container Toolkit, OpenAI Codex, Safari, SharePoint, Red Hat Enterprise Linux for Workstations, Firefox, and VMware ESX. These failures are just as instructive as the successes, highlighting areas where defenses might be holding, or perhaps where researchers simply haven’t found the right key yet.

What’s more telling, perhaps, are the stories of those who couldn’t even get a foot in the door. International Cyber Digest reported that many teams were locked out entirely, with all available time slots for participation already snatched up. This scarcity of opportunity led some to bypass the contest altogether, opting instead to disclose their findings directly to vendors or even to begin public disclosures. This distributed model of vulnerability reporting, outside the formal Pwn2Own structure, suggests a growing urgency among researchers and a potential challenge for coordinated disclosure efforts.

Why Does This Matter for Developers?

This isn’t just a financial report for elite hackers. The implications ripple outward, particularly for developers and security professionals. The consistent success against major platforms like Microsoft and VMware, coupled with the rapid discovery of flaws in new AI technologies, underscores a fundamental truth: the pace of development often outstrips the pace of security hardening. For developers, it means a constant need to be aware of the latest exploit techniques, even in their own toolchains. It’s not enough to write functional code; it must be secure code, built with an understanding of how it might be — and likely will be — attacked. The architecture of AI models, in particular, presents new challenges, as their emergent behaviors can sometimes hide vulnerabilities that traditional static analysis might miss.

The sheer volume of successful exploits across such a wide range of technologies suggests a systemic issue: either the design and implementation of these systems are fundamentally flawed, or the current security paradigms are insufficient. We’re seeing a clear architectural shift where complex, interconnected systems create emergent attack vectors that were perhaps unforeseen in their initial design. The interconnectedness of cloud services, containerization, and the ever-present AI layer means a compromise in one area can easily cascade into another. It’s a digital house of cards, and Pwn2Own Berlin 2026 just demonstrated how easily a few well-placed nudges can topple it.

Pwn2Own: More Than Just a Game

Pwn2Own has evolved beyond a mere competition; it’s a vital, albeit perhaps uncomfortable, barometer of the global cybersecurity landscape. The millions poured into finding and disclosing vulnerabilities are, in essence, an investment in collective security. Yet, the persistent and high-value discoveries in established software, alongside the alarming findings in nascent AI technologies, serve as a constant, loud warning. The underlying architecture of our digital world is still being stress-tested, and the results from Berlin are in: there’s still a lot of work to be done.

Frequently Asked Questions

What was the total prize money at Pwn2Own Berlin 2026? Hackers earned nearly $1.3 million in total prize money at the Pwn2Own Berlin 2026 event.

Which companies had their products exploited at Pwn2Own Berlin 2026? Products from Microsoft (Windows, Exchange, Edge, SharePoint), VMware (ESX), LiteLLM, OpenAI Codex, LM Studio, Cursor, Claude Code, NVIDIA Megatron Bridge, NVIDIA Container Toolkit, Red Hat Linux, and others were successfully exploited.

Did AI products face security issues at Pwn2Own Berlin 2026? Yes, AI products were a significant target and saw numerous successful exploits, with substantial bounties awarded for hacking platforms like LiteLLM, OpenAI Codex, and LM Studio.

Written by Wei Chen

Technical security analyst. Specialises in malware reverse engineering, APT campaigns, and incident response.

Originally reported by SecurityWeek